MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ad88b48598633133d30a79c10cde8860cdf5a2d05ed4fd6227dd4a7449d02d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RemcosRAT


Vendor detections: 16


Intelligence 16 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ad88b48598633133d30a79c10cde8860cdf5a2d05ed4fd6227dd4a7449d02d9
SHA3-384 hash: a3b8d260569ed3639f5bb93687f4cb5b49cf52d2aeeaf432dfe7525906f53586c090a26487c517d82853004e43964024
SHA1 hash: 71e7c8649e85d7185cd09731a732906d784722c7
MD5 hash: 8121d5c5601989790f1eff4ec4877d95
humanhash: sad-maryland-stream-cup
File name:FAT8767890098765.exe
Download: download sample
Signature RemcosRAT
Create hunting rule
File size:988'527 bytes
First seen:2023-11-01 07:40:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep 12288:GENN+T5xYrllrU7QY6pM0tK5Dm3FoB6KoOM4b5aMxXieUMyAyakwNEBMw0oR:K5xolYQY61Kd2FoUcJ8eUMoyDwx
Threatray 2'833 similar samples on MalwareBazaar
TLSH T1F9259C176600231BC4EEA8F134E621A7ADD21FE60F84A98757A1BE45F471E03B7E161F
TrID 38.2% (.EXE) Win32 Executable Microsoft Visual Basic 6 (82067/2/8)
34.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
14.5% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
4.9% (.EXE) Win64 Executable (generic) (10523/12/4)
2.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 8770d8d4d4d87087 (7 x RemcosRAT, 5 x Formbook, 1 x Loki)
Reporter abuse_ch
Tags:exe RAT RemcosRAT


Avatar
abuse_ch
RemcosRAT C2:
91.92.241.117:8787

Intelligence

File Origin
# of uploads :
1
# of downloads :
354
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
remcos
Create hunting rule
ID:
1
File name:
FAT8767890098765.exe
Verdict:
Malicious activity
Analysis date:
2023-11-01 10:48:17 UTC
Tags:
rat remcos keylogger stealer
Link:
https://app.any.run/tasks/e3cd05cd-a917-44b0-97c4-b6129fb4adb8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/457557/
Detection(s):
PUA.Win.Packer.ProtectSharewar-2
Create hunting rule

PUA.Win.Packer.ProtectSharewar-3
Create hunting rule

Win.Malware.Swisyn-7610494-0
Create hunting rule

Win.Virus.Sality-6335700-2
Create hunting rule

Win.Malware.Swisyn-9942393-0
Create hunting rule

Win.Trojan.VBGeneric-6735885-0
Create hunting rule

Win.Virus.Sality-6747602-0
Create hunting rule

Win.Malware.Swisyn-6803865-0
Create hunting rule

Win.Trojan.Gamarue-6972487-0
Create hunting rule

Win.Trojan.Kazy-304
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% directory
Creating a process with a hidden window
Sending a custom TCP request
Setting a keyboard event handler
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a global event handler
DNS request
Sending an HTTP GET request
Reading critical registry keys
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Setting a single autorun event
Launching the process to create tasks for the scheduler
Stealing user critical data
Enabling autorun
Enabling a "Do not show hidden files" option
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
explorer lolbin overlay packed packed shell32
Link:
https://www.filescan.io/uploads/654201192e754890e48008b3/reports/998b8df0-ccc8-4f2f-83e7-42ada3276957/overview
Verdict:
Malicious
Labled as:
Trojan.Swisyn
Link:
https://www.hybrid-analysis.com/sample/5ad88b48598633133d30a79c10cde8860cdf5a2d05ed4fd6227dd4a7449d02d9
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d8c3f0bf-5c85-476e-9fb5-beec6d8619a6
Result
Threat name:
CryptOne, Remcos
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1335327
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Contains functionality to bypass UAC (CMSTPLUA)
Contains functionality to modify clipboard data
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Creates an undocumented autostart registry key
Delayed program exit found
Detected CryptOne packer
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Sample uses process hollowing technique
Sigma detected: Remcos
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Costura Assembly Loader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1335327 Sample: FAT8767890098765.exe Startdate: 01/11/2023 Architecture: WINDOWS Score: 100 106 zxq.net 2->106 108 vccmd03.googlecode.com 2->108 110 6 other IPs or domains 2->110 134 Found malware configuration 2->134 136 Malicious sample detected (through community Yara rule) 2->136 138 Antivirus detection for URL or domain 2->138 140 21 other signatures 2->140 12 FAT8767890098765.exe 1 4 2->12         started        16 Chrome.exe 2->16         started        18 Chrome.exe 2->18         started        signatures3 process4 file5 86 C:\Users\user\Desktop\fat8767890098765.exe, PE32 12->86 dropped 88 C:\Users\user\AppData\Local\icsys.icn.exe, PE32 12->88 dropped 160 Installs a global keyboard hook 12->160 20 icsys.icn.exe 3 12->20         started        24 fat8767890098765.exe 1 5 12->24         started        90 C:\Users\user\AppData\Roaming\chrome.exe, PE32 16->90 dropped 162 Antivirus detection for dropped file 16->162 164 Multi AV Scanner detection for dropped file 16->164 166 Machine Learning detection for dropped file 16->166 26 icsys.icn.exe 16->26         started        28 chrome.exe 16->28         started        30 chrome.exe 18->30         started        signatures6 process7 file8 82 C:\Windows\System\explorer.exe, PE32 20->82 dropped 142 Antivirus detection for dropped file 20->142 144 Multi AV Scanner detection for dropped file 20->144 146 Machine Learning detection for dropped file 20->146 148 Drops PE files with benign system names 20->148 32 explorer.exe 1 21 20->32         started        84 C:\Users\user\AppData\Roaming\Chrome.exe, PE32 24->84 dropped 150 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 24->150 152 Injects a PE file into a foreign processes 24->152 37 fat8767890098765.exe 3 16 24->37         started        39 fat8767890098765.exe 24->39         started        154 Drops executables to the windows directory (C:\Windows) and starts them 26->154 156 Installs a global keyboard hook 26->156 41 explorer.exe 26->41         started        43 chrome.exe 28->43         started        signatures9 process10 dnsIp11 94 vccmd01.zxq.net 51.81.194.202, 443, 49712, 49713 OVHFR United States 32->94 96 142.251.16.82, 49710, 49717, 49726 GOOGLEUS United States 32->96 104 2 other IPs or domains 32->104 74 C:\Windows\System\spoolsv.exe, PE32 32->74 dropped 76 C:\Users\user\AppData\Roaming\mrsys.exe, PE32 32->76 dropped 112 Antivirus detection for dropped file 32->112 114 System process connects to network (likely due to code injection or exploit) 32->114 116 Creates an undocumented autostart registry key 32->116 124 2 other signatures 32->124 45 spoolsv.exe 2 32->45         started        98 80.76.51.172, 8787 CLOUDCOMPUTINGDE Bulgaria 37->98 100 91.92.241.117, 49720, 49721, 8787 THEZONEBG Bulgaria 37->100 102 geoplugin.net 178.237.33.50, 49723, 80 ATOM86-ASATOM86NL Netherlands 37->102 78 C:\ProgramData\remcos\logs.dat, data 37->78 dropped 118 Maps a DLL or memory area into another process 37->118 120 Sample uses process hollowing technique 37->120 122 Installs a global keyboard hook 37->122 file12 signatures13 process14 file15 92 C:\Windows\System\svchost.exe, PE32 45->92 dropped 168 Antivirus detection for dropped file 45->168 170 Machine Learning detection for dropped file 45->170 172 Drops executables to the windows directory (C:\Windows) and starts them 45->172 174 2 other signatures 45->174 49 svchost.exe 5 4 45->49         started        signatures16 process17 file18 80 C:\Users\user\AppData\Local\stsys.exe, PE32 49->80 dropped 126 Antivirus detection for dropped file 49->126 128 Detected CryptOne packer 49->128 130 Creates an undocumented autostart registry key 49->130 132 4 other signatures 49->132 53 spoolsv.exe 49->53         started        56 at.exe 49->56         started        58 at.exe 49->58         started        60 19 other processes 49->60 signatures19 process20 signatures21 158 Installs a global keyboard hook 53->158 62 conhost.exe 56->62         started        64 conhost.exe 58->64         started        66 conhost.exe 60->66         started        68 conhost.exe 60->68         started        70 conhost.exe 60->70         started        72 16 other processes 60->72 process22
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5ad88b48598633133d30a79c10cde8860cdf5a2d05ed4fd6227dd4a7449d02d9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ad88b48598633133d30a79c10cde8860cdf5a2d05ed4fd6227dd4a7449d02d9/
Threat name:
Win32.Trojan.Golsys
Create hunting rule
Status:
Malicious
First seen:
2023-11-01 07:41:05 UTC
File Type:
PE (Exe)
Extracted files:
51
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=llmiwsczqyzrgpjqu6obbtpiqygn6wrnaxwu7vrcpxkkore5almq._file
Verdict:
malicious
Label(s):
remcos
Create hunting rule
avemaria
Create hunting rule
Similar samples:
0600335f68fd4abbf652063700eae04d8cc336d3ea5f63d3a8bc2905d6bde8ec
RemcosRAT
54481a325fd753ad4d2217ffdb95058c1a7220d305600340c3ced465b1e0b265
RemcosRAT
683b1aa79c5e0658ad46b136527a047a44eac01c497133e379015d7902fb783b
RemcosRAT
73a8f239da349dabeba46f143311e8f5874589917a88e3f6cd64767c56dde3a2
RemcosRAT
887171e762ec83f7c3f9d12c11742c7e05e9382db50a9fe3268d266215708bf4
RemcosRAT
be8ccfb19dab5c8d7b4273dc77b34c7ca0afea516e6bf85f607904345a3ad54f
RemcosRAT
cb772b73e0d867d11872c40f7f25fead438f5647e73b401efb7a721ba423dfe3
RemcosRAT
d6fbf2f15cfb25c5d7b256955aec6d940799d33f008a76919b0592caa677ba48
RemcosRAT
d7d0ef85103c37670e81e7146a7170a6ca241b830a65e59aacf6407503dbbc39
RemcosRAT
e7ee6803b3198f660de53f1dea2b7e005d640829b246f6ef97583c61276a9ac0
RemcosRAT
+ 2'823 additional samples on MalwareBazaar
Result
Malware family:
remcos
Create hunting rule
Score:
  10/10
Tags:
family:remcos botnet:remotehost collection evasion persistence rat spyware stealer
Link:
https://tria.ge/reports/231101-jh4crscd71/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook accounts
Adds Run key to start application
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies Installed Components in the registry
NirSoft MailPassView
NirSoft WebBrowserPassView
Nirsoft
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
Remcos
Malware Config
C2 Extraction:
80.76.51.172:8787
91.92.241.117:8787
Unpacked files
SH256 hash:
504f4e8f76d5e170d5e8b4e12618a417b4d1737668fc857fc1f845d39d387575
MD5 hash:
6df7ec55b90a0ddc62010a9633635b98
SHA1 hash:
fbfc46ebaeae074480e40c0d958fda927f9a1446
Link:
https://www.unpac.me/results/16ed9b26-c1e2-4cfd-bf37-a82378c96091/
SH256 hash:
90637f87972c91a8918d0474aef9f58836b34652186981bf17989c2504dfb59b
MD5 hash:
2ac73a553f4bca7da1bfdda77b70724c
SHA1 hash:
64e609ceeea0be2084b2a5971aa3cbd405de9494
Link:
https://www.unpac.me/results/16ed9b26-c1e2-4cfd-bf37-a82378c96091/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/16ed9b26-c1e2-4cfd-bf37-a82378c96091/
SH256 hash:
bf0032c5c9efa666b168c736ea9396349e9995cc65c2ee9c24303e8c3a33c1cf
MD5 hash:
ae8f072b9502d2341a8893faaf1b8248
SHA1 hash:
0269c77f08302bab7563dc02145b1ea9f2956522
Detections:
Remcos
Create hunting rule
win_remcos_w0
Create hunting rule
win_remcos_auto
Create hunting rule
Link:
https://www.unpac.me/results/16ed9b26-c1e2-4cfd-bf37-a82378c96091/
SH256 hash:
5ad88b48598633133d30a79c10cde8860cdf5a2d05ed4fd6227dd4a7449d02d9
MD5 hash:
8121d5c5601989790f1eff4ec4877d95
SHA1 hash:
71e7c8649e85d7185cd09731a732906d784722c7
Link:
https://www.unpac.me/results/16ed9b26-c1e2-4cfd-bf37-a82378c96091/
Malware family:
Remcos
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ad88b485986/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/5ad88b48598633133d30a79c10cde8860cdf5a2d05ed4fd6227dd4a7449d02d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers
Rule name:INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
Create hunting rule
Author:ditekSHen
Description:Detects executables referencing many email and collaboration clients. Observed in information stealers
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:ProtectSharewareV11eCompservCMS
Create hunting rule
Author:malware-lu
Rule name:QbotStuff
Create hunting rule
Author:anonymous
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vba
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SUSP_Imphash_Mar23_2
Create hunting rule
Author:Arnim Rupp (https://github.com/ruppde)
Description:Detects imphash often found in malware samples (Zero hits with with search for 'imphash:x p:0' on Virustotal)
Reference:Internal Research
Rule name:TeslaCryptPackedMalware
Create hunting rule
Rule name:yara_template
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/457557/

Comments